Abstract

This paper presents a special subset of the first-order predicate logic named S-program calculus (briefly S-calculus). The S-calculus is a calculus consisting of so-called S-formulas that are defined over the abstract state space of a virtual machine. We show that S-formulas are a highly general tool for analyzing program semantics inasmuch as Hoare triplets of total and partial correctness are no more than two S-formulas. Moreover, all the rules of Hoare logic can be derived using S-formulas and axioms/theorems of first-order predicate calculus. The S-calculus is a powerful mechanism for proving program correctness as well as for building additional proving tools using theorems of the predicate logic. Every proof is based on deriving the validity of some S-formula, so the procedure may be automated using automatic theorem provers (we will use Coq in this paper). As an example of the use of the S-calculus, we will prove the four basic properties of Dijkstra's operator wp. The proofs given by Dijkstra are not completely formalized and we will show that a full formalization can be achieved using the S-calculus. Finally, we add one more theorem to the above-mentioned four, namely the law of negation.
1 Introduction

The key motivation for this research is the idea that programs may be treated as predicates and/or Boolean expressions [28] [24] [19] [32] [23] [20] [21]. The connection between Floyd-Hoare logic [15] [22] and predicate logic is outlined in the papers of Cook [10] and Blass and Gurevich [7], where they use it to analyze the completeness of Hoare logic [2]. Blass and Gurevich consider the possibility of incorporating first-order predicate logic into Hoare logic, but they conclude that it would significantly increase the complexity of the latter. In our opinion, this is not necessarily the case: it is possible to generalize the ideas of Hoare logic to the abstract state space and simultaneously simplify proofs, if the interpretation domain is strictly separated from the domain of the abstract state space. Back, Akademi and von Wright [3] have developed the idea of a special program calculus called refinement calculus, which was meant to combine Hoare's ideas with predicate logic. They solved the problem of indeterminism in the total/partial correctness formulas by introducing additional formulas of angelical and demonical correctness [4], but at the price of increasing the complexity of refinement calculus. Our idea is to develop a program calculus that associates Hoare logic with first-order predicate logic and clearly separates the interpretation domain from the abstract state domain (similarly to [27]). Secondly, it must not have any problems with indeterminism. Finally, it must treat total/partial correctness directly, i.e. without any requirement for additional concepts and formulas.

In this paper, we will present the development of the S-program calculus (briefly S-calculus), which represents a mathematical tool for program semantics analysis [26]. The generality of the S-calculus stems from the fact that it is built around so-called S-formulas that are defined on the abstract state space and not on any of its interpretations, which was the reason for naming it "S-calculus", after the word "state". Simultaneously with the development of the S-calculus, we will discuss the following six issues:
1.) The S-calculus uses an abstract state space and is a general tool for describing program semantics.

2.) Hoare's formulas of total and partial correctness are no more than two particular S-formulas.

3.) The S-calculus is based on the axioms and theorems of first-order predicate logic. The assignment statement and standard syntax units (such as if-then, if-then-else, while etc.) are defined using S-formulas, so there is no need for special axioms and rules, as in Hoare logic.

4.) Variable declaration is also described using appropriate S-formulas.

5.) The general rules of Hoare logic are theorems in the S-calculus and can be derived using the axioms and theorems of first-order predicate logic.

6.) Proofs in the S-calculus are simple since they rely only on the results of first-order predicate logic. Moreover, they lend themselves to automation using standard theorem provers, making it easier to introduce new rules and theorems.

The axiomatic system of S-calculus consists of the axioms of first-order predicate calculus. Each 
theorem in the predicate calculus is also a theorem in the S-calculus and vice versa. In Section 2, 
we will present the basic components, the axioms and several theorems in the S-calculus. 

Hoare logic incorporates the formulas of total and partial correctness, the assignment axiom 
and numerous rules [1] [17]. The formulas of total and partial correctness are customarily denoted 
respectively by {P}S{Q} and P{S}Q and their meaning is given in a descriptive form. Instead 
of this, the S-calculus introduces strict mathematical notation for both formulas treating them as 
two special S-formulas. This will be discussed in Section 2. 

In Section 3, we will show that the general rules of Hoare logic are theorems in the S-calculus 
that can be derived using solely the axioms and theorems of predicate logic. It follows that Hoare 
logic is a special case of the S-calculus and consequently a special case of first-order predicate logic. 

Hoare's assignment axiom and the rules for special syntax units are not needed in the S-calculus. 
They are considered as special S-formulas or, more precisely, as S-relations, where the term "S- 
relation" refers to a binary relation on the abstract state space. For example, the assignment 
statement a := e; is an interpretation of the appropriate S-relation $S_{a:=e;}$ introduced by definition. 
In Section 4, we will show the definitions of S-relations, the interpretations of which are the 
statements no-operation, assignment, if-then-else, if-then, while and the sequence. In addition, 
we will introduce a special S-formula whose interpretation is variable declaration. Owing to its 
generality, the S-calculus allows variable definition to be considered as a special syntax unit, which 
is a problem in theories that use interpreted state space [8] [12] [16] [17] [30]. This opportunity is 
especially important for programming languages in which the declaration is an ordinary statement 
(as in Java), because it makes automated correctness proofs possible [27]. 

Dijkstra has formulated the four basic theorems concerning the weakest precondition wp: the law of the excluded miracle, the law of monotonicity, the law of conjunction and the law of disjunction. From the mathematical point of view, these proofs are not strictly formal [14] [18]. In Section 5, we will prove these theorems in a strictly formal way. In addition, we will prove the fifth basic law, namely the law of negation. Finally, we will provide the formal proof of Dijkstra's theorem on total correctness. 

The aim of this paper is not to lessen the importance of Hoare logic. On the contrary, we try to 
generalize the basic ideas by raising its domain to the level of abstract state space. The S-calculus 
is supposed to serve as a mathematical bridge between Hoare logic and the formalism of classical 
predicate calculus. Connecting Hoare's ideas with predicate logic is of significant importance. In 
such connection Hoare logic is an appropriate mechanism for describing program syntax, while in 
its background predicate logic stays with its powerful mathematical proving tools. Accordingly, 
proving program correctness [13] [5], as well as building new theorems in the S-calculus conforms 
to the validity proofs of appropriate S-formulas. Based on that, we may conclude that for proving 
program correctness and new theorems we need rather uncomplicated mathematical tools such as the axioms, theorems and proving procedures of first-order predicate logic [9] [11] [25] [29]. Moreover, the S-calculus lends itself to automation, i.e. the above-mentioned proofs can be automated by using theorem provers. We will demonstrate those possibilities using the prover Coq [6] [31]. 



2 The Basic Components 

The basic components of the S-calculus are:

The set of abstract states (abstract state space) $A$,
State variables (S-variables) $x, y, z, \ldots$,
State constants (S-constants) $s_1, s_2, s_3, \ldots$,
S-predicates $P, Q, R, \ldots$,
S-relations $S_1, S_2, S_3, \ldots$,
S-formulas $F_1, F_2, F_3, \ldots$,
Program variables $a, b, c, \ldots$,
Program constants $c_1, c_2, c_3, \ldots$,

The set of logical operations $\{\neg, \wedge, \vee, \Rightarrow, \Leftrightarrow\}$, where $\neg$ is negation, $\wedge$ is conjunction, $\vee$ is disjunction, $\Rightarrow$ is implication and $\Leftrightarrow$ is equivalence,

The set of logical constants $\{\top, \bot\}$, where $\top$ represents true and $\bot$ represents false,
Brackets ( ) and [ ] for changing the priority of operations.

Each S-constant describes an abstract state of the virtual machine. The set $A$ of abstract states is the set of all S-constants. S-predicates are logical functions over the abstract state space, i.e. $P : A \to \{\top, \bot\}$. Also, we need two special S-predicates $\tau$ and $\phi$ defined by

(TAU) $\forall x \in A,\ \tau(x) = \top$,
(PHI) $\forall x \in A,\ \phi(x) = \bot$.

S-relations are relations on the abstract state space, i.e. $S \subseteq A \times A$. In other words, S-relations are logical functions on the set $A \times A$, i.e. $S : A \times A \to \{\top, \bot\}$. 

Definition 2.1 S-formulas are obtained in the following way:

a.) S-predicates and S-relations are S-formulas.

b.) If $F_1$ and $F_2$ are S-formulas then $\neg F_1$, $F_1 \wedge F_2$, $F_1 \vee F_2$, $F_1 \Rightarrow F_2$, $F_1 \Leftrightarrow F_2$ are also S-formulas.

c.) Any formula obtained from a.) and b.) in a finite number of steps is an S-formula. 

Let $\{v_1, v_2, \ldots, v_n\}$ be a set of program variables, which take values from the sets $D_1, D_2, \ldots, D_n$ respectively. Let $A'$ be a subset of $A$ with the cardinality $\mathrm{Card}(A') = \mathrm{Card}(D_1 \times D_2 \times \cdots \times D_n)$. An interpretation of the set $A$ with respect to the set $\{v_1, v_2, \ldots, v_n\}$ is a bijection that maps any S-constant from $A'$ to the appropriate vector of program constants from $D_1, D_2, \ldots, D_n$ (usually called a state vector). An S-relation $S(x, y)$ contains ordered pairs $(x, y)$, where $x \in A$ is the initial state and $y \in A$ is the final state. The interpreted restriction of an S-relation to the set $A'$ is called a syntactic unit on the program variables $\{v_1, v_2, \ldots, v_n\}$. A syntactic unit may be written in many different ways (program code is one of them), and it can refer to a statement, block, subprogram or program. We will use the term "predicate" for the interpreted restriction of an S-predicate to the set $A'$, knowing that it is actually a Boolean expression over the program variables $\{v_1, v_2, \ldots, v_n\}$. This means that we observe two domains: the abstract state domain with S-constants, S-variables, S-predicates and S-relations, and the interpretation domain with vectors of program constants, program variables, predicates and syntactic units. To simplify, an S-constant is interpreted as a vector of program constants from the sets $D_1, D_2, \ldots, D_n$, an S-predicate is interpreted as a Boolean expression, and an S-relation as a syntactic unit with program variables $\{v_1, v_2, \ldots, v_n\}$. Interpretation is denoted by ":". For example, $x : a > 0 \wedge b = 5$ means that the S-variable $x$ represents all states in which the program variables $a$ and $b$ satisfy $a > 0$ and $b = 5$.

The symbol $\leftrightarrow$ means "abbreviation". If $a$ is a token and $F$ is an S-formula then $a \leftrightarrow F$ means "$a$ is an abbreviation for $F$". If $F_1$ and $F_2$ are two S-formulas with the same form, we say that $F_1$ is syntactically identical to $F_2$, and write $F_1 \equiv F_2$. If $F_1$ and $F_2$ have the same meaning but not the same form, they are semantically equivalent, denoted by $F_1 = F_2$. 

The S-calculus consists of S-formulas and is based solely on the axioms and theorems of first-order predicate logic. This means that, among other things, the formulas $\{P\}S\{Q\}$ and $P\{S\}Q$ are just two S-formulas:

a.) Total correctness formula (TCF):

$\forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$.

b.) Partial correctness formula (PCF):

$\forall x[(P(x) \wedge \exists y S(x, y)) \Rightarrow \forall z(S(x, z) \Rightarrow Q(z))]$.

When writing S-formulas we will obey the usual priority conventions, where the order of priority is: negation $\neg$, conjunction $\wedge$, disjunction $\vee$, implication $\Rightarrow$, equivalence $\Leftrightarrow$. The priority can be changed by using brackets ( ) and [ ]. 

Firstly, by using the formulas (TCF) and (PCF) we can formally define the total and partial correctness of an S-relation with respect to S-predicates:

Definition 2.2 S-relation $S$ is totally correct with respect to precondition $P$ and postcondition $Q$ if the S-formula $\forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$ is valid.

Definition 2.3 S-relation $S$ is partially correct with respect to precondition $P$ and postcondition $Q$ if the S-formula $\forall x[(P(x) \wedge \exists y S(x, y)) \Rightarrow \forall z(S(x, z) \Rightarrow Q(z))]$ is valid.

Hoare's total correctness formula, denoted by $\{P\}S\{Q\}$, is defined by the statement "if the syntax unit $S$ starts in a state satisfying the predicate $P$, then it terminates in a state satisfying the predicate $Q$" [17]. The connection between this sentence and the formula (TCF) is apparent: if for every state $x$ the S-predicate $P$ holds, then the S-formula $\forall x \exists y S(x, y) \wedge \forall x \forall z(S(x, z) \Rightarrow Q(z))$ is true. The state $x$ is then called the initial state. The formula $\forall x \exists y S(x, y)$ means that for every initial state $x$ there exists a state $y$ such that $(x, y) \in S$. The state $y$ is then called the final state. The meaning of the S-formula $\forall x \forall z(S(x, z) \Rightarrow Q(z))$ is the following: if for every initial state $x$ and every state $z$ it is true that $(x, z) \in S$, then in the state $z$ the S-predicate $Q$ is true.

Hoare's partial correctness formula, denoted by $P\{S\}Q$, is defined by the statement "if the syntax unit $S$ starts in a state satisfying the predicate $P$ and if it terminates then the final state satisfies the predicate $Q$" [17]. In terms of the S-calculus, we assert: if for some state $x$ the predicate $P$ holds and if there exists a final state $y$ such that $(x, y) \in S$, then the formula $\forall x \forall z(S(x, z) \Rightarrow Q(z))$ is true.

Concerning the question of indeterminism, the S-calculus does not require any additional formulas such as the angelical or demonical formulas of refinement calculus [3], because the formulas (TCF) and (PCF) contain $\forall x \forall z(S(x, z) \Rightarrow Q(z))$. Thus, the S-calculus strictly implements Dijkstra's statement "Eventually I came to regard nondeterminacy as the normal situation, determinacy being reduced to a - not even very interesting - special case" [14]. 

The S-calculus is a special kind of first-order predicate logic or, more precisely, it is a predicate logic over S-formulas. Its axiomatic system consists solely of the predicate logic axioms, provided that the formulas $F$, $G$ and $H$ are now S-formulas:

(A1) $F \Rightarrow (G \Rightarrow F)$

(A2) $(F \Rightarrow (G \Rightarrow H)) \Rightarrow ((F \Rightarrow G) \Rightarrow (F \Rightarrow H))$

(A3) $(\neg F \Rightarrow \neg G) \Rightarrow (G \Rightarrow F)$

(A4) $\forall x F(x) \Rightarrow F(t)$ (term $t$ is free for $x$ in $F(t)$)

(A5) $\forall x(F \Rightarrow G) \Rightarrow (F \Rightarrow \forall x G)$ (variable $x$ is not free in $F$)

The S-calculus uses the rules of inference of first-order predicate logic (the symbols $F$ and $G$ stand for S-formulas):

a.) Modus ponens (MPN):

$\dfrac{F,\quad F \Rightarrow G}{G}$

b.) Generalisation (GEN):

$\dfrac{F}{\forall x F}$

All theorems, i.e. valid formulas, of predicate logic are also valid in the S-calculus and vice versa. We will briefly cite some well-known theorems of predicate logic that will be needed for further proofs in this paper (again, the symbols $F$, $G$, $H$ and $K$ stand for S-formulas, and $\tau$ and $\phi$ are defined by (TAU) and (PHI) respectively):

(T1) $\forall x \forall y F \Leftrightarrow \forall y \forall x F$

(T2) $\exists x \forall y F \Rightarrow \forall y \exists x F$

(T3) $\forall x F \Leftrightarrow F$

(T4) $\forall x(F \wedge G) \Leftrightarrow \forall x F \wedge \forall x G$

(T5) $\forall x F \vee \forall x G \Rightarrow \forall x(F \vee G)$

(T6) $\neg \forall x F \Leftrightarrow \exists x \neg F$

(T7) $\forall x F \Leftrightarrow \forall x(F \Leftrightarrow \tau)$

(T8) $\forall x(\tau \Rightarrow F) \Leftrightarrow \forall x F$

(T9) $\forall x \neg F \Leftrightarrow \forall x(F \Leftrightarrow \phi)$

(T10) $\forall x(F \Leftrightarrow F \wedge F)$

(T11) $\forall x(F \Rightarrow F \vee G)$

(T12) $\forall x(\neg F \vee \neg G) \Leftrightarrow \forall x \neg(F \wedge G)$

(T13) $\forall x(\neg F \wedge \neg G) \Leftrightarrow \forall x \neg(F \vee G)$

(T14) $\forall x(F \Rightarrow G) \Rightarrow (\forall x F \Rightarrow \forall x G)$

(T15) $\forall x(F \Rightarrow G) \Leftrightarrow \forall x(\neg F \vee G)$

(T16) $\forall x[(F \Rightarrow H) \wedge (H \Rightarrow G)] \Rightarrow \forall x(F \Rightarrow G)$

(T17) $\forall x[(F \Rightarrow G) \wedge (H \Rightarrow K)] \Rightarrow \forall x[(F \vee H) \Rightarrow (G \vee K)]$

(T18) $\forall x[(F \Rightarrow G) \wedge (H \Rightarrow K)] \Rightarrow \forall x[(F \wedge H) \Rightarrow (G \wedge K)]$

(T19) $\forall x[(F \Rightarrow G) \wedge (F \Rightarrow H)] \Leftrightarrow \forall x(F \Rightarrow G \wedge H)$

(T20) $\forall x[(F \Rightarrow G) \vee (F \Rightarrow H)] \Leftrightarrow \forall x(F \Rightarrow G \vee H)$

(T21) $\forall x[(F \Rightarrow H) \wedge (G \Rightarrow H)] \Leftrightarrow \forall x(F \vee G \Rightarrow H)$

(T22) $\forall x[(F \Rightarrow G) \vee (H \Rightarrow K)] \Rightarrow \forall x[(F \wedge H) \Rightarrow (G \vee K)]$

Program correctness or a new S-calculus theorem is proven by proving the validity of an appropriate S-formula. This needs only a modest mathematical apparatus, e.g. the axioms, theorems and proof procedures of first-order predicate logic. Moreover, it can be automated using various automatic theorem provers.

An important detail is also the fact that the S-calculus is based on the abstract set of states $A$. This means that when applying Hoare logic we do not need an exact description of every abstract state, thus avoiding the use of the program state vector (the vector of all program variables). It is known that the use of the state vector introduces certain difficulties, since it is not quite clear how to model unknown values of program variables [14]. In addition, the state vector is associated with a specific program, and cannot be related to the virtual machine when the program is not active. Subprograms also contribute to the problem because they have their own state vectors. On the other hand, the abstract state space is associated with the virtual machine itself, so it is always meaningful, regardless of whether a particular program is active or not. In the S-calculus the program state space $A'$ is a subset of the virtual machine abstract state space $A$ ($A' \subseteq A$), and every program is the restriction to $A'$ of the appropriate S-relation $S \subseteq A \times A$. 

3 General Laws of the Hoare logic

In this section we will consider the general laws of Hoare logic [1] [17] such as the laws of consequence, disjunction, conjunction and negation. While Hoare logic treats these laws as rules, we will treat them as theorems. Some of them will be proven using the Coq automatic prover. 

Theorem 3.1 (Laws of Consequence) The following S-formulas are valid:

a.) $\forall x(P(x) \Rightarrow R(x)) \wedge \{R\}S\{Q\} \Rightarrow \{P\}S\{Q\}$,

b.) $\{P\}S\{R\} \wedge \forall x(R(x) \Rightarrow Q(x)) \Rightarrow \{P\}S\{Q\}$,

c.) $\forall x(U(x) \Rightarrow P(x)) \wedge \forall x(Q(x) \Rightarrow V(x)) \wedge \{P\}S\{Q\} \Rightarrow \{U\}S\{V\}$.

Proof.

a.) Since:

$\{R\}S\{Q\} \leftrightarrow \forall x[R(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$,

the left side of the implication can be written as:

$\forall x(P(x) \Rightarrow R(x)) \wedge \forall x[R(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$

and by the Theorem (T16), we obtain:

$\forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$,

i.e.

$\{P\}S\{Q\}$.

b.) Since:

$\{P\}S\{R\} \leftrightarrow \forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow R(z)))]$,

the left side of the implication can be written as:

$\forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow R(z)))] \wedge \forall x(R(x) \Rightarrow Q(x))$

and by the Theorem (T16), we obtain:

$\forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$,

i.e.

$\{P\}S\{Q\}$.

c.) By the Theorem 3.1.a.), the left side of the implication can be written as:

$\forall x(Q(x) \Rightarrow V(x)) \wedge \{U\}S\{Q\}$

and by the Theorem 3.1.b.), we obtain:

$\{U\}S\{V\}$.

□

Theorem 3.1 can also be proven using the automatic prover Coq (Appendix A). Finally, by the Theorem (T3), from Theorem 3.1 we obtain the well-known Hoare rules of consequence [1] [17]:

$\dfrac{(P \Rightarrow R),\ \{R\}S\{Q\}}{\{P\}S\{Q\}}$, $\quad \dfrac{\{P\}S\{R\},\ (R \Rightarrow Q)}{\{P\}S\{Q\}}$ $\quad$ and $\quad \dfrac{(U \Rightarrow P),\ (Q \Rightarrow V),\ \{P\}S\{Q\}}{\{U\}S\{V\}}$



Theorem 3.2 (Laws of Conjunction) The following S-formulas are valid:

a.) $\{P\}S\{Q\} \wedge \{R\}S\{W\} \Rightarrow \{P \vee R\}S\{Q \vee W\}$,

b.) $\{P\}S\{Q\} \wedge \{R\}S\{W\} \Rightarrow \{P \wedge R\}S\{Q \wedge W\}$.

Proof.

a.) Since:

$\{P\}S\{Q\} \leftrightarrow \forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$,

$\{R\}S\{W\} \leftrightarrow \forall x[R(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow W(z)))]$,

by the Theorem (T17), the left side of the implication can be written as:

$\forall x[(P(x) \vee R(x)) \Rightarrow ((\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))) \vee (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow W(z))))]$

$= \forall x[(P(x) \vee R(x)) \Rightarrow \exists y((S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))) \vee (S(x, y) \wedge \forall z(S(x, z) \Rightarrow W(z))))]$

$= \forall x[(P(x) \vee R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z((S(x, z) \Rightarrow Q(z)) \vee (S(x, z) \Rightarrow W(z)))]$.

Then, by the Theorem (T15), we obtain:

$\forall x[(P(x) \vee R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z(\neg S(x, z) \vee Q(z) \vee \neg S(x, z) \vee W(z))]$

$= \forall x[(P(x) \vee R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z(\neg S(x, z) \vee Q(z) \vee W(z))]$

and after that, by the Theorem (T15), we obtain:

$\forall x[(P(x) \vee R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow (Q(z) \vee W(z)))]$,

i.e.

$\{P \vee R\}S\{Q \vee W\}$.

b.) By the Theorem (T18), the left side of the implication can be written as:

$\forall x[(P(x) \wedge R(x)) \Rightarrow ((\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))) \wedge (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow W(z))))]$

$= \forall x[(P(x) \wedge R(x)) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)) \wedge \forall z(S(x, z) \Rightarrow W(z)))]$

$= \forall x[(P(x) \wedge R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z((S(x, z) \Rightarrow Q(z)) \wedge (S(x, z) \Rightarrow W(z)))]$

and by the Theorem (T19), we obtain:

$\forall x[(P(x) \wedge R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow (Q(z) \wedge W(z)))]$,

i.e.

$\{P \wedge R\}S\{Q \wedge W\}$.

□

Corollary 3.1 (Law of Resolution) The following S-formula is valid:

$\{P\}S\{Q\} \wedge \{\neg P\}S\{W\} \Rightarrow \{\tau\}S\{Q \vee W\}$.

Proof.

If we substitute $R$ with $\neg P$ in the Theorem 3.2.a.) we obtain:

$\{P\}S\{Q\} \wedge \{\neg P\}S\{W\} \Rightarrow \{P \vee \neg P\}S\{Q \vee W\}$,

i.e.

$\{P\}S\{Q\} \wedge \{\neg P\}S\{W\} \Rightarrow \{\tau\}S\{Q \vee W\}$.

□
Theorem 3.3 (Laws of Disjunction) The following S-formula is valid:

$\{P\}S\{Q\} \vee \{R\}S\{W\} \Rightarrow \{P \wedge R\}S\{Q \vee W\}$.

Proof.

Since:

$\{P\}S\{Q\} \leftrightarrow \forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$,

$\{R\}S\{W\} \leftrightarrow \forall x[R(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow W(z)))]$,

by the Theorem (T22), the left side of the implication can be written as:

$\forall x[(P(x) \wedge R(x)) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))) \vee (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow W(z)))]$

$= \forall x[(P(x) \wedge R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z((S(x, z) \Rightarrow Q(z)) \vee (S(x, z) \Rightarrow W(z)))]$

and by the Theorem (T20), we obtain:

$\forall x[(P(x) \wedge R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow (Q(z) \vee W(z)))]$,

i.e.

$\{P \wedge R\}S\{Q \vee W\}$.

□

The proofs of Theorems 3.2.a), 3.2.b) and 3.3 in Coq are given in Appendix A. 

Theorem 3.4 (Laws of Conjunction and Disjunction) The following S-formulas are valid:

a.) $\{P \vee R\}S\{Q\} \Leftrightarrow \{P\}S\{Q\} \wedge \{R\}S\{Q\}$,

b.) $\{P\}S\{Q \wedge R\} \Leftrightarrow \{P\}S\{Q\} \wedge \{P\}S\{R\}$,

c.) $\{P \vee U\}S\{Q \wedge W\} \Leftrightarrow \{P\}S\{Q\} \wedge \{U\}S\{W\} \wedge \{P\}S\{W\} \wedge \{U\}S\{Q\}$,

d.) $\{P\}S\{Q\} \vee \{P\}S\{W\} \Rightarrow \{P\}S\{Q \vee W\}$.

Proof.

a.) The left side of the equivalence can be written as:

$\forall x[(P(x) \vee R(x)) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))]$

and by the Theorem (T21), we obtain:

$\forall x[(P(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))) \wedge (R(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$,

i.e.

$\{P\}S\{Q\} \wedge \{R\}S\{Q\}$.

b.) The left side of the equivalence can be written as:

$\forall x[P(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow (Q(z) \wedge R(z)))]$.

Then, by the Theorem (T19), we obtain:

$\forall x[P(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)) \wedge \forall z(S(x, z) \Rightarrow R(z))]$

and after that, by the Theorem (T10), we obtain:

$\forall x[P(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)) \wedge \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow R(z))]$

and finally, by the Theorem (T19), we obtain:

$\forall x[P(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))] \wedge \forall x[P(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow R(z))]$,

i.e.

$\{P\}S\{Q\} \wedge \{P\}S\{R\}$.

c.) By the Theorem 3.4.a.), from the left side of the equivalence we obtain:

$\{P \vee U\}S\{Q \wedge W\} \Leftrightarrow \{P\}S\{Q \wedge W\} \wedge \{U\}S\{Q \wedge W\}$

and by the Theorem 3.4.b.), we obtain:

$\{P\}S\{Q \wedge W\} \wedge \{U\}S\{Q \wedge W\} \Leftrightarrow \{P\}S\{Q\} \wedge \{U\}S\{W\} \wedge \{P\}S\{W\} \wedge \{U\}S\{Q\}$.

d.) If we substitute $R$ with $P$ in the Theorem 3.3 we obtain:

$\{P\}S\{Q\} \vee \{P\}S\{W\} \Rightarrow \{P \wedge P\}S\{Q \vee W\}$

and by the Theorem (T10), we obtain:

$\{P\}S\{Q\} \vee \{P\}S\{W\} \Rightarrow \{P\}S\{Q \vee W\}$.

□

Theorem 3.5 (General Law of the Excluded Miracle) The following S-formula is valid:

$\{P\}S\{\phi\} \Leftrightarrow (P \Leftrightarrow \phi)$, i.e. $\{P\}S\{\phi\} \Leftrightarrow \neg P$.

Proof.

The left side of the equivalence can be written as:

$\forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow \phi(z)))]$.

Since the S-formula $\forall x \forall z(S(x, z) \Rightarrow \phi(z))$ is valid iff $\forall x \forall z \neg S(x, z)$ is valid, we obtain:

$\forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z \neg S(x, z))]$

$= \forall x[P(x) \Rightarrow \phi(x)]$

and by the Theorem (T9), we obtain:

$\forall x \neg P(x)$,

i.e.

$\neg P$.

□

Theorem 3.6 (Laws of Negation) The following S-formulas are valid:

a.) $\{P\}S\{Q\} \wedge \{R\}S\{\neg Q\} \Rightarrow \neg(P \wedge R)$,

b.) $\{P\}S\{Q\} \wedge \{P\}S\{\neg Q\} \Leftrightarrow \forall x \neg P(x)$,

c.) $[\{P\}S\{\neg Q\} \Rightarrow \neg\{P\}S\{Q\}] \Leftrightarrow \exists x P(x)$,

d.) $\{P\}S\{Q\} \wedge \{\neg P\}S\{Q\} \Leftrightarrow \forall x \exists y S(x, y) \wedge \forall x \forall z(S(x, z) \Rightarrow Q(z))$,

e.) $\exists x \exists z(S(x, z) \wedge \neg Q(z)) \Rightarrow [\{\neg P\}S\{Q\} \Rightarrow \neg\{P\}S\{Q\}]$.

Proof.

a.) If we substitute $W$ with $\neg Q$ in the Theorem 3.2.b.), we obtain:

$\{P\}S\{Q\} \wedge \{R\}S\{\neg Q\} \Rightarrow \{P \wedge R\}S\{Q \wedge \neg Q\}$

$= \{P\}S\{Q\} \wedge \{R\}S\{\neg Q\} \Rightarrow \{P \wedge R\}S\{\phi\}$

and by the Theorem 3.5, we obtain:

$\{P\}S\{Q\} \wedge \{R\}S\{\neg Q\} \Rightarrow \neg(P \wedge R)$.

b.) If we substitute $R$ with $\neg Q$ in the Theorem 3.4.b.), we obtain:

$\{P\}S\{Q\} \wedge \{P\}S\{\neg Q\} \Leftrightarrow \{P\}S\{Q \wedge \neg Q\}$

$= \{P\}S\{Q\} \wedge \{P\}S\{\neg Q\} \Leftrightarrow \{P\}S\{\phi\}$

and by the Theorem 3.5, we obtain:

$\{P\}S\{Q\} \wedge \{P\}S\{\neg Q\} \Leftrightarrow \neg P$,

i.e.

$\{P\}S\{Q\} \wedge \{P\}S\{\neg Q\} \Leftrightarrow \forall x \neg P(x)$.

c.) By the Theorem (T15), the left side of the equivalence becomes:

$\neg\{P\}S\{\neg Q\} \vee \neg\{P\}S\{Q\}$

and subsequently, by the Theorem (T12), we obtain:

$\neg[\{P\}S\{\neg Q\} \wedge \{P\}S\{Q\}]$.

Then, by the Theorem 3.6.b.), we obtain:

$\neg[\forall x \neg P(x)]$

and after that, by the Theorem (T6), we obtain:

$\exists x P(x)$.

d.) If we substitute $R$ with $\neg P$ in the Theorem 3.4.a.), we obtain:

$\{P \vee \neg P\}S\{Q\}$

$= \{\tau\}S\{Q\}$.

Since:

$\{\tau\}S\{Q\} \leftrightarrow \forall x[\tau(x) \Rightarrow \exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))]$,

by the Theorem (T8), we obtain:

$\forall x[\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))]$.

e.) By the Theorem (T15), the right side of the implication can be written as:

$\neg\{\neg P\}S\{Q\} \vee \neg\{P\}S\{Q\}$

and by the Theorem (T12), we obtain:

$\neg[\{\neg P\}S\{Q\} \wedge \{P\}S\{Q\}]$.

Then, by the Theorem 3.6.d.), we obtain:

$\neg \forall x[\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))]$

$= \exists x \neg[\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z))]$.

By the Theorem (T13), we obtain:

$\exists x[\neg \exists y S(x, y) \vee \neg \forall z(S(x, z) \Rightarrow Q(z))]$

$= \exists x[\forall y \neg S(x, y) \vee \exists z \neg(S(x, z) \Rightarrow Q(z))]$

and by the Theorem (T15), we obtain:

$\exists x[\forall y \neg S(x, y) \vee \exists z \neg(\neg S(x, z) \vee Q(z))]$.

After that, by the Theorem (T12), we obtain:

$\exists x[\forall y \neg S(x, y) \vee \exists z(S(x, z) \wedge \neg Q(z))]$

$= \exists x \forall y \neg S(x, y) \vee \exists x \exists z(S(x, z) \wedge \neg Q(z))$

and finally, by the Theorem (T11), we obtain:

$\exists x \exists z(S(x, z) \wedge \neg Q(z)) \Rightarrow \exists x \exists z(S(x, z) \wedge \neg Q(z)) \vee \exists x \forall y \neg S(x, y)$.

□

The proofs of Theorems 3.5, 3.6.a) and 3.6.b) in Coq are given in Appendix A. 

Corollary 3.2 The following S-formula is valid:

$\{P\}S\{Q\} \wedge \{P\}S\{\neg Q\} \Leftrightarrow (P \Leftrightarrow \phi)$.

Proof.

From the Theorem 3.6.b.) we obtain:

$\forall x \neg P(x)$,

i.e.

$(P \Leftrightarrow \phi)$.

□

Corollary 3.3 The following S-formula is valid:

$[\{P\}S\{\neg Q\} \Rightarrow \neg\{P\}S\{Q\}] \Leftrightarrow \neg(P \Leftrightarrow \phi)$.

Proof.

From the Theorem 3.6.c.) we obtain:

$\exists x P(x)$

$= \neg(\forall x \neg P(x))$,

i.e.

$\neg(P \Leftrightarrow \phi)$. 

□ 
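The formulas (TCF) and (PCF) of Section 2 and the laws of Section 3 can be exercised on a finite model, which is a useful sanity check before attempting a Coq proof of a new law. The following Python code is an editor-supplied example, not part of the paper or its Coq development: over a finite abstract state space it models an S-predicate as the set of states on which it holds and an S-relation as a set of ordered pairs, evaluates (TCF) and (PCF) directly, shows on a constructed nondeterministic relation how the two formulas differ, and then checks the laws of consequence (3.1.a), conjunction (3.2.b), disjunction (3.3), the excluded miracle (3.5) and negation (3.6.b) for every choice of predicates and relation over a constructed two-state space. The state names, the set encoding and all helper names are assumptions of the example.

```python
"""Finite-model reading of (TCF), (PCF) and the Section 3 laws.

Editor-supplied example, not the paper's own development. Over a finite abstract state
space an S-predicate is modelled as the set of states on which it holds and an S-relation
as a set of ordered pairs (x, y); tau is the whole space and phi the empty set.
"""
from itertools import combinations, product


def subsets(items):
    """All subsets of a finite collection, as frozensets."""
    items = sorted(items)
    for k in range(len(items) + 1):
        for chosen in combinations(items, k):
            yield frozenset(chosen)


def succ(S, x):
    """Final states reachable from the initial state x through the S-relation S."""
    return {y for (u, y) in S if u == x}


def tcf(P, S, Q):
    """{P}S{Q}: forall x [P(x) => (exists y S(x,y) and forall z (S(x,z) => Q(z)))]."""
    return all(succ(S, x) and succ(S, x) <= Q for x in P)


def pcf(P, S, Q):
    """P{S}Q: forall x [(P(x) and exists y S(x,y)) => forall z (S(x,z) => Q(z))]."""
    return all(succ(S, x) <= Q for x in P)


def nondeterminism_demo():
    """Constructed relation: from s1 both s1 and s2 are possible final states, from s2 there is none."""
    A = frozenset({"s1", "s2"})
    S = frozenset({("s1", "s1"), ("s1", "s2")})
    P, Q = A, frozenset({"s1"})
    return {
        # the possible final state s2 violates Q, so neither formula accepts S
        "tcf_one_branch_bad": tcf(P, S, Q),
        "pcf_one_branch_bad": pcf(P, S, Q),
        # with Q = tau every reached state is fine, but s2 has no final state at all:
        # partial correctness holds (vacuously for s2), total correctness does not
        "tcf_no_final_state": tcf(P, S, A),
        "pcf_no_final_state": pcf(P, S, A),
    }


def laws_hold(A, P, Q, R, W, S):
    """Theorems 3.1.a, 3.2.b, 3.3, 3.5 and 3.6.b on one choice of predicates and relation."""
    phi = frozenset()

    def implies(a, b):
        return (not a) or b

    return (
        implies(P <= R and tcf(R, S, Q), tcf(P, S, Q))                     # Theorem 3.1.a
        and implies(tcf(P, S, Q) and tcf(R, S, W), tcf(P & R, S, Q & W))  # Theorem 3.2.b
        and implies(tcf(P, S, Q) or tcf(R, S, W), tcf(P & R, S, Q | W))   # Theorem 3.3
        and tcf(P, S, phi) == (P == phi)                                   # Theorem 3.5
        and (tcf(P, S, Q) and tcf(P, S, A - Q)) == (P == phi)             # Theorem 3.6.b
    )


def check_all_laws(states=("s1", "s2")):
    """Exhaustively check laws_hold for every predicate quadruple and every relation on `states`."""
    A = frozenset(states)
    predicates = list(subsets(A))
    relations = list(subsets(product(A, repeat=2)))
    return all(laws_hold(A, P, Q, R, W, S)
               for S in relations
               for P, Q, R, W in product(predicates, repeat=4))


if __name__ == "__main__":
    print(nondeterminism_demo())
    print("all laws hold on the two-state model:", check_all_laws())
```

A larger `states` tuple makes the exhaustive check correspondingly slower (the number of relations is $2^{n^2}$), so it is a model check of the laws on small spaces, not a substitute for the proofs above; what it does show concretely is that (TCF) fails as soon as some initial state in $P$ has no final state, while (PCF) is satisfied vacuously there.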

4 Special S-Relations

In Hoare logic, the so-called special syntax units such as if-then, if-then-else, while etc. are introduced by rules, whilst the assignment is defined through an axiom [1] [17]. In the S-calculus, things are different, since all special syntax units are treated as particular S-formulas. In other words, for every syntax unit we define an appropriate S-relation that is a subset of the set $A \times A$, where $A$ is the abstract state space. We will discuss the meaning of this using the example of assignment. Let $a$ be a program variable of the type integer. The syntax unit a := 5; is an interpretation of the S-relation $S_{a:=5;}$, which transfers the virtual machine from the state $x$ to the state $y$. The state $x$ is interpreted as a state in which the variable $a$ has some value from its domain $D_{integer}$ (i.e. $a \in D_{integer}$), and the state $y$ is interpreted as a state in which the variable $a$ has the value 5 (i.e. $a = 5$). Accordingly, we define the S-relation $S_{a:=5;}$ as a set of ordered pairs $(x, y)$, $x, y \in A$, where $x : a \in D_{integer}$ and $y : a = 5$, or as an S-formula $\forall x \forall y\, S_{a:=5;}(x, y) \Leftrightarrow x : a \in D_{integer} \wedge y : a = 5$.

Let $x, y, y_1, y_2, \ldots, y_n, z \in A$, where $A$ is the abstract state set, and let $a$ be a program variable of the type Type. The definitions of the special S-relations no-operation, assignment, if-then-else, if-then, sequence and while are as follows: 

Definition 4.1 (No-operation) S-relation $S_{nop}$ is defined as:

a.) set $S_{nop} = \{(x, y) \mid x = y\}$, or

b.) S-formula $\forall x \forall y\, S_{nop}(x, y) \Leftrightarrow x = y$.

Definition 4.2 (Assignment) S-relation $S_{a:=e;}$ is defined as:

a.) set $S_{a:=e;} = \{(x, y) \mid x : a \in D_{Type} \wedge y : a = e\}$, or

b.) S-formula $\forall x \forall y\, S_{a:=e;}(x, y) \Leftrightarrow x : a \in D_{Type} \wedge y : a = e$.

Definition 4.3 (If-then-else) S-relation $S_{if\text{-}then\text{-}else}$ is defined as:

a.) set $S_{if\text{-}then\text{-}else} = \{(x, y) \mid (B(x) \wedge S_1(x, y)) \vee (\neg B(x) \wedge S_2(x, y))\}$, or

b.) S-formula $\forall x \forall y\, S_{if\text{-}then\text{-}else}(x, y) \Leftrightarrow (B(x) \wedge S_1(x, y)) \vee (\neg B(x) \wedge S_2(x, y))$.

Definition 4.4 (If-then) S-relation $S_{if\text{-}then}$ is defined as:

a.) set $S_{if\text{-}then} = \{(x, y) \mid (B(x) \wedge S(x, y)) \vee (\neg B(x) \wedge S_{nop}(x, y))\}$, or

b.) S-formula $\forall x \forall y\, S_{if\text{-}then}(x, y) \Leftrightarrow (B(x) \wedge S(x, y)) \vee (\neg B(x) \wedge S_{nop}(x, y))$.

Definition 4.5 (Sequence) S-relation $S_{[S_1; S_2]}$ is defined as:

a.) set $S_{[S_1; S_2]} = \{(x, y) \mid \exists z(S_1(x, z) \wedge S_2(z, y))\}$, or

b.) S-formula $\forall x \forall y\, S_{[S_1; S_2]}(x, y) \Leftrightarrow \exists z(S_1(x, z) \wedge S_2(z, y))$.

Definition 4.6 (While) S-relation $S_{while}$ is defined as:

a.) set $S_{while} = \{(x, y) \mid \exists y_1, y_2, \ldots, y_n\ B(x) \wedge S(x, y_1) \wedge B(y_1) \wedge S(y_1, y_2) \wedge B(y_2) \wedge S(y_2, y_3) \wedge \cdots \wedge B(y_n) \wedge S(y_n, y) \wedge \neg B(y)\}$, or

b.) S-formula $\forall x \forall y\, S_{while}(x, y) \Leftrightarrow \exists y_1, y_2, \ldots, y_n\ B(x) \wedge S(x, y_1) \wedge B(y_1) \wedge S(y_1, y_2) \wedge B(y_2) \wedge S(y_2, y_3) \wedge \cdots \wedge B(y_n) \wedge S(y_n, y) \wedge \neg B(y)$. 

In the previous section, the theorems that represent the general laws of Hoare logic were proven. 
In this section, the special syntax units were analyzed using S-relations introduced by the appro- 
priate definitions. In this way, we have developed a mechanism for proving the correctness of 
syntax units with respect to the specification given. Every syntax unit is treated as an interpre- 
tation of the appropriate S-relation, and the program specification is modeled as an ordered pair 
of S-predicates (P, Q), where P is a precondition and Q is a postcondition. Apparently, proving 
syntax unit correctness conforms to proving the validity of the appropriate S-formula containing 
S-relation S and S-predicates P and Q. In addition to generality, one of the main advantages of 
this approach is simplicity, because the proof procedures do not require complicated mathematical 
apparatus. In order to prove program correctness and/or a new theorem it is sufficient to know 
first-order predicate calculus. 

Various theories related to program semantics description and analysis that use an interpreted set of states do not deal with variable declarations. The reason is that they use the vector of program variables to describe states, so the problem arises of how to deal with state descriptions when some program variables are not (yet) defined. Such a problem does not exist in the S-calculus because it relies on the abstract state space. For defining a variable declaration, we use an appropriate S-relation defined by:

Definition 4.7 (Declaration) S-relation $S_{a:Type;}$ is defined as:

a.) set $S_{a:Type;} = \{(x, y) \mid y : a \in D_{Type}\}$, or

b.) S-formula $\forall x \forall y\, S_{a:Type;}(x, y) \Leftrightarrow y : a \in D_{Type}$. 
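Definitions 4.1 to 4.7 are set-theoretic, so on a finite abstract state space they can be built literally as sets of pairs and a Hoare triple can be decided by evaluating (TCF) over that space. The Python code below is an editor-supplied example, not the paper's own code or its Coq development: it constructs the no-operation, assignment, if-then-else, if-then, sequence, while and declaration relations over a small constructed state space and uses them to check the total correctness of a : integer; a := 5; if a > 0 then a := 10 else a := 100 with respect to $(\tau, a = 10)$, a counting loop, and a loop that never terminates, for which (PCF) holds but (TCF) does not. The finite domain standing in for $D_{integer}$, the tuple encoding of states, the treatment of an undeclared variable as a distinct state value, the evaluation of the assigned expression $e$ in the initial state, and the inclusion of the zero-iteration case in the while relation are assumptions of the example.

```python
"""Finite-model interpretation of the special S-relations (Definitions 4.1-4.7).

Editor-supplied example, not the paper's own code. A state is a 1-tuple holding the value
of the single program variable a, or UNDEF when a is not (yet) declared. S-relations are
sets of ordered pairs (x, y); S-predicates are the sets of states on which they hold.
"""

UNDEF = None
D_INT = frozenset(range(-2, 12)) | {100}            # constructed finite stand-in for D_integer
A = frozenset({(v,) for v in D_INT} | {(UNDEF,)})   # abstract state space (assumed finite)
TAU = A                                             # tau holds in every state


def pred(cond):
    """S-predicate from a Boolean expression over a; assumed false where a is undeclared."""
    return frozenset(x for x in A if x[0] is not UNDEF and cond(x[0]))


def succ(S, x):
    """Final states reachable from the initial state x through S."""
    return {y for (u, y) in S if u == x}


def total_correct(P, S, Q):
    """(TCF): every P-state has a final state, and every final state satisfies Q."""
    return all(succ(S, x) and succ(S, x) <= Q for x in P)


def partial_correct(P, S, Q):
    """(PCF): the final states of a P-state, if there are any, satisfy Q."""
    return all(succ(S, x) <= Q for x in P)


def nop():                                    # Definition 4.1
    return {(x, x) for x in A}


def declare():                                # Definition 4.7: y : a in D_integer, x unconstrained
    return {(x, y) for x in A for y in A if y[0] is not UNDEF}


def assign(e):                                # Definition 4.2: x : a in D_integer, y : a = e(x)
    return {(x, (e(x[0]),)) for x in A if x[0] is not UNDEF and e(x[0]) in D_INT}


def if_then_else(B, S1, S2):                  # Definition 4.3
    return {(x, y) for (x, y) in S1 if x in B} | {(x, y) for (x, y) in S2 if x not in B}


def if_then(B, S):                            # Definition 4.4
    return if_then_else(B, S, nop())


def seq(S1, S2):                              # Definition 4.5: exists z with S1(x, z) and S2(z, y)
    return {(x, y) for (x, z) in S1 for (w, y) in S2 if w == z}


def while_loop(B, S):
    """Definition 4.6 as a least fixed point: (x, y) is in S_while iff a chain x -> y1 -> ... -> y
    through S exists with B true at every state but y.  The zero-iteration case (not B(x), y = x)
    is assumed to be part of the relation."""
    W = {(x, x) for x in A if x not in B}
    while True:
        longer = {(x, y) for (x, z) in S if x in B for (w, y) in W if w == z}
        if longer <= W:
            return W
        W |= longer


def ite_program():
    """a := 5; if a > 0 then a := 10 else a := 100  (the statements of the C program in Figure 1)."""
    return seq(assign(lambda a: 5),
               if_then_else(pred(lambda a: a > 0), assign(lambda a: 10), assign(lambda a: 100)))


def example_4_1():
    """{tau} a : integer; a := 5; if a > 0 then a := 10 else a := 100 {a = 10} is valid."""
    return total_correct(TAU, seq(declare(), ite_program()), pred(lambda a: a == 10))


def example_4_1_without_declaration():
    """Without a : integer the undeclared state has no final state, so (TCF) fails from tau."""
    return total_correct(TAU, ite_program(), pred(lambda a: a == 10))


def counting_loop():
    """while a < 10 do a := a + 1 is totally correct w.r.t. (a in D_integer, a >= 10)."""
    S = while_loop(pred(lambda a: a < 10), assign(lambda a: a + 1))
    return total_correct(pred(lambda a: True), S, pred(lambda a: a >= 10))


def stuck_loop():
    """while a > 0 do nop never terminates from a > 0: (PCF) holds, (TCF) does not."""
    S = while_loop(pred(lambda a: a > 0), nop())
    P = pred(lambda a: a > 0)
    return partial_correct(P, S, pred(lambda a: True)), total_correct(P, S, pred(lambda a: True))


if __name__ == "__main__":
    print(example_4_1(), example_4_1_without_declaration(), counting_loop(), stuck_loop())
```

The contrast between `example_4_1` and `example_4_1_without_declaration` is the point made in the text above: because Definition 4.2 requires $x : a \in D_{Type}$, an assignment has no final state from a state in which $a$ is undeclared, and only the declaration relation of Definition 4.7 relates such states to declared ones.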

The possibility of modeling variable declaration is of considerable importance, especially for languages where declaration is treated as an ordinary statement (as in C/C++), and may even appear anywhere in the source code (as in Java). Using the appropriate S-relation enables us to automate the verification of such programs. Let us consider two simple programs written in C. 

4.1 Example 

Is the syntax unit written in C and given in Figure 1 correct with respect to the specification given as the pair of predicates $(\tau, a = 10)$?

    int a=5;
    if (a > 0)
        a=10;
    else
        a=100;

Figure 1: Example 4.1

The given syntax unit is an interpretation of the S-relation $S$:

$S$ : a : integer; a := 5; if a > 0 then a := 10 else a := 100;

The specification is an ordered pair of S-predicates $(P, Q)$ where the precondition is $P : \tau$ and the postcondition is $Q : a = 10$. Now, we have to prove the validity of the S-formula $\{P\}S\{Q\} \leftrightarrow \forall x[P(x) \Rightarrow (\exists y S(x, y) \wedge \forall z(S(x, z) \Rightarrow Q(z)))]$. Apart from $P$, $S$ and $Q$, we will use the following notation:

$S_1$ : a : integer;
$S_2$ : a := 5; if a > 0 then a := 10 else a := 100;
$S_3$ : a := 5;
$S_4$ : if a > 0 then a := 10 else a := 100;
$S_5$ : a := 10;
$S_6$ : a := 100;
$R$ : $a \in D_{integer}$
$T$ : $a = 5$
$B$ : $a > 0$
$W$ : $a = 10$
$U$ : $a = 100$

We will prove total correctness of the S-relation $S$ with respect to the specification $(T, W)$, 
i.e. we will prove that the formula $\{T\}S\{W\}$ is valid. The S-relation $S$ is the sequence $[S_1; S_2]$. 
Consequently, according to the Definition 4.5, the following formula is valid: 

$$\forall x \forall y\, S(x,y) \Leftrightarrow \exists z\, S_1(x,z) \wedge S_2(z,y). \quad (1)$$ 

Further, we prove that the S-relation $S_1$ is totally correct with respect to the specification 
$(T, R)$. Since $S_1$ is the declaration of the program variable a : integer, according to the Definition 4.7, 
the following S-formulas are valid: 

$$\forall x \forall y\, S_1(x,y) \Leftrightarrow y : a \in D_{integer}, \quad (2)$$ 

$$\{T\}S_1\{R\}. \quad (3)$$ 

We proceed by proving that the S-relation $S_2$ is correct with respect to the specification $(R, W)$, 
i.e. that the S-formula $\{R\}S_2\{W\}$ is valid. The S-relation $S_2$ is the sequence $[S_3; S_4]$. According to 
the Definition 4.5, it follows that the S-formula 

$$\forall x \forall y\, S_2(x,y) \Leftrightarrow \exists z\, S_3(x,z) \wedge S_4(z,y) \quad (4)$$ 

is valid. The S-relation $S_3$ is an assignment. According to the Definition 4.2, the following formulas 
are valid: 

$$\forall x \forall z\, S_3(x,z) \Leftrightarrow x : a \in D_{integer} \wedge z : a = 5, \quad (5)$$ 
$$\{R\}S_3\{T\}, \quad (6)$$ 
$$B(z). \quad (7)$$ 



The S-relations $S_5$ and $S_6$ are assignments. From the Definition 4.2, it follows that the formulas 
(8) - (11) are also valid: 

$$\forall z \forall y\, S_5(z,y) \Leftrightarrow z : a \in D_{integer} \wedge y : a = 10, \quad (8)$$ 
$$\{R\}S_5\{W\}, \quad (9)$$ 
$$\forall z \forall y\, S_6(z,y) \Leftrightarrow z : a \in D_{integer} \wedge y : a = 100, \quad (10)$$ 
$$\{R\}S_6\{U\}. \quad (11)$$ 

Since $T \Rightarrow R$, by the Theorem 3.1.a.), the following formulas are valid: 

$$\{T\}S_5\{W\}, \quad (12)$$ 
$$\{T\}S_6\{U\}. \quad (13)$$ 

The S-relation $S_4$ is an if-then-else so, by the Definition 4.3, the following formula is valid: 
$$\forall z \forall y\, S_4(z,y) \Leftrightarrow (B(z) \wedge S_5(z,y)) \vee (\neg B(z) \wedge S_6(z,y)). \quad (14)$$ 

From (7), (12) and (14) we infer the validity of the formula: 
$$\{T\}S_4\{W\}. \quad (15)$$ 

From (4), (6) and (15) we conclude: 
$$\{R\}S_2\{W\}. \quad (16)$$ 

From (1), (3) and (16) we conclude: 
$$\{T\}S\{W\}.$$ 

Since $P \Rightarrow T$ and $W \Rightarrow Q$, from the Theorem 3.1.c.) we conclude that the formula 
$$\{P\}S\{Q\}$$ 
is valid, Q.E.D. 

4.2 Example 

Is the syntax unit written in C and given in Figure 2 correct with respect to the specification given 
as a pair of predicates $(i = 2 \wedge n = 4 \wedge f = 1,\ f = 24)$? 

    while (i <= n) { 
        f*=i; 
        i++; 
    } 

Figure 2: Example 4.2 
The given syntax unit is an interpretation of S-relation $S$: 

$S$ : while i <= n do begin f := f * i; i := i + 1; end; 

We have to prove the validity of $\{P\}S\{Q\}$, where $P : i = 2 \wedge n = 4 \wedge f = 1$ and $Q : f = 24$. 
Apart from $S$, $P$ and $Q$, we will use the following notation: 

$R$ : $i = 5 \wedge n = 4 \wedge f = 24$ 
$B$ : $i \le n$ 

$S_1$ : f := f * i; i := i + 1; 
$S_2$ : f := f * i; 
$S_3$ : i := i + 1; 

According to the Definition 4.2, the following formulas are valid: 

$$\forall x \forall z_1\, S_2(x,z_1) \Leftrightarrow x : i = 2 \wedge n = 4 \wedge f = 1 \ \wedge\ z_1 : i = 2 \wedge n = 4 \wedge f = 2,$$ 
$$\forall z_1 \forall y_1\, S_3(z_1,y_1) \Leftrightarrow z_1 : i = 2 \wedge n = 4 \wedge f = 2 \ \wedge\ y_1 : i = 3 \wedge n = 4 \wedge f = 2$$ 

and by the Definition 4.5, we obtain: 

$$\forall x \forall y_1\, S_1(x,y_1) \Leftrightarrow x : i = 2 \wedge n = 4 \wedge f = 1 \ \wedge\ y_1 : i = 3 \wedge n = 4 \wedge f = 2. \quad (17)$$ 

From the S-formula (17) we conclude that the following formulas are valid: 

$$\forall x\, B(x), \quad (18)$$ 
$$\forall y_1\, B(y_1). \quad (19)$$ 

According to the Definition 4.2, the following formulas are valid: 

$$\forall y_1 \forall z_2\, S_2(y_1,z_2) \Leftrightarrow y_1 : i = 3 \wedge n = 4 \wedge f = 2 \ \wedge\ z_2 : i = 3 \wedge n = 4 \wedge f = 6,$$ 
$$\forall z_2 \forall y_2\, S_3(z_2,y_2) \Leftrightarrow z_2 : i = 3 \wedge n = 4 \wedge f = 6 \ \wedge\ y_2 : i = 4 \wedge n = 4 \wedge f = 6$$ 

and by the Definition 4.5, we obtain: 
$$\forall y_1 \forall y_2\, S_1(y_1,y_2) \Leftrightarrow y_1 : i = 3 \wedge n = 4 \wedge f = 2 \ \wedge\ y_2 : i = 4 \wedge n = 4 \wedge f = 6. \quad (20)$$ 

From the S-formula (20) we conclude that the following formula is valid: 
$$\forall y_2\, B(y_2). \quad (21)$$ 

According to the Definition 4.2, the following formulas are valid: 

$$\forall y_2 \forall z_3\, S_2(y_2,z_3) \Leftrightarrow y_2 : i = 4 \wedge n = 4 \wedge f = 6 \ \wedge\ z_3 : i = 4 \wedge n = 4 \wedge f = 24,$$ 
$$\forall z_3 \forall y\, S_3(z_3,y) \Leftrightarrow z_3 : i = 4 \wedge n = 4 \wedge f = 24 \ \wedge\ y : i = 5 \wedge n = 4 \wedge f = 24$$ 

and by the Definition 4.5, we obtain: 
$$\forall y_2 \forall y\, S_1(y_2,y) \Leftrightarrow y_2 : i = 4 \wedge n = 4 \wedge f = 6 \ \wedge\ y : i = 5 \wedge n = 4 \wedge f = 24. \quad (22)$$ 

From the S-formula (22) we conclude that the following formula is valid: 
$$\forall y\, \neg B(y). \quad (23)$$ 

From the S-formulas (17) - (23) we conclude that the following formula is valid: 
$$\forall x \forall y\, S(x,y) \Leftrightarrow \exists y_1, y_2\, B(x) \wedge S_1(x,y_1) \wedge B(y_1) \wedge S_1(y_1,y_2) \wedge B(y_2) \wedge S_1(y_2,y) \wedge \neg B(y)$$ 
and conclude that the following formula is valid: 
$$\{P\}S\{R\}.$$ 

Since $R \Rightarrow Q$, from the Theorem 3.1.b.) we conclude that the formula 

$$\{P\}S\{Q\}$$ 

is valid, Q.E.D. 
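Examples 4.1 and 4.2 checked mechanically, as an added example that is not part of the paper: the S-relations are built from Definitions 4.2, 4.3, 4.5 and 4.7 over a finite stand-in for D_integer (our assumption), and {P}S{Q} is evaluated exactly as the S-formula ∀x[P(x) ⇒ (∃y S(x,y) ∧ ∀z(S(x,z) ⇒ Q(z)))]. The while loop is modelled as the least fixpoint of the unrolling used in Example 4.2, which is our own choice; a state from which the loop never terminates simply has no successor, so total correctness fails there without any extra machinery.

```python
# Added example (not from the paper): a finite model of the S-calculus in which the
# S-formulas of Examples 4.1 and 4.2 are checked by exhaustive evaluation. A state is a
# tuple of variable values (None = not yet declared); an S-relation is a dict mapping each
# state x to the set of states y with S(x, y). The finite domain standing in for D_integer
# and the treatment of undeclared variables are our own assumptions.
from itertools import product

def state_space(nvars, dom):
    return list(product([None] + list(dom), repeat=nvars))

def declare(var, X, dom):  # Definition 4.7: y has var declared (any value), rest kept
    return {x: {x[:var] + (v,) + x[var + 1:] for v in dom} for x in X}

def assign(var, expr, X, dom):  # Definition 4.2: needs declared vars and a value in dom
    rel = {x: set() for x in X}
    for x in X:
        if None not in x and expr(x) in dom:
            rel[x].add(x[:var] + (expr(x),) + x[var + 1:])
    return rel

def seq(S1, S2):  # Definition 4.5: S(x,y) <=> exists z. S1(x,z) /\ S2(z,y)
    return {x: {y for z in S1[x] for y in S2[z]} for x in S1}

def ite(B, S1, S2):  # Definition 4.3: (B(x) /\ S1(x,y)) \/ (not B(x) /\ S2(x,y))
    return {x: (S1[x] if B(x) else S2[x]) for x in S1}

def while_(B, body):  # least fixpoint of the unrolling; no successor = no termination
    W = {x: set() for x in body}
    while True:
        W2 = {x: ({x} if not B(x) else {y for z in body[x] for y in W[z]}) for x in W}
        if W2 == W:
            return W
        W = W2

def hoare_total(P, S, Q):  # {P}S{Q} <=> Ax[P(x) => (Ey S(x,y) /\ Az(S(x,z) => Q(z)))]
    return all(not P(x) or (S[x] and all(Q(z) for z in S[x])) for x in S)

def example_4_1():
    dom = list(range(-2, 12)) + [100]  # assumed finite D_integer containing 5, 10, 100
    X = state_space(1, dom)            # the single variable a is index 0
    pos = lambda x: x[0] is not None and x[0] > 0  # B : a > 0 (false if a undeclared)
    S = seq(declare(0, X, dom), seq(assign(0, lambda x: 5, X, dom),
            ite(pos, assign(0, lambda x: 10, X, dom), assign(0, lambda x: 100, X, dom))))
    return hoare_total(lambda x: True, S, lambda y: y[0] == 10)  # specification (T, a = 10)

def example_4_2():
    dom = range(0, 25)                 # assumed finite D_integer containing 24
    X = [x for x in state_space(3, dom) if None not in x]  # variables i, n, f at 0, 1, 2
    body = seq(assign(2, lambda x: x[2] * x[0], X, dom),   # f := f * i
               assign(0, lambda x: x[0] + 1, X, dom))      # i := i + 1
    S = while_(lambda x: x[0] <= x[1], body)               # B : i <= n
    return hoare_total(lambda x: x == (2, 4, 1), S, lambda y: y[2] == 24)
```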

5 Proofs of Dijkstra's Theorems on the Weakest Precondition 

In the previous two sections, we have shown how to apply the S-calculus to prove program 
correctness. In this section, we will demonstrate the use of the S-calculus for proving general theorems 
in a strictly formal way. As an example, we will consider Dijkstra's theorems on the weakest 
precondition wp, namely the laws of the excluded miracle, monotonicity, conjunction and disjunction. 
While being correct, the original proofs [14] [18] are not strictly formal, so our task will be to 
provide a full formalization. In addition, we will establish yet another general law, the law of negation 
(Theorem 5.5), in order to provide a more complete insight into the behavior of the operator wp. 
The section ends with the formal proof of Dijkstra's theorem on total correctness. Some of the 
above-mentioned theorems will be proven in Coq. 

Definition 5.1 (The Weakest Precondition) The weakest precondition of S-relation $S$ with 
respect to postcondition $Q$ is the S-predicate $wp(S,Q)$ if: 

$(WP_1)$ $\{wp(S,Q)\}S\{Q\}$, 

$(WP_2)$ $\{P\}S\{Q\} \Rightarrow \forall x(P(x) \Rightarrow wp(S,Q)(x))$. 



Theorem 5.1 (Dijkstra's Law of the Excluded Miracle) The following S-formula is valid: 
$$wp(S, \phi) \Leftrightarrow \phi.$$ 

Proof. 

According to $(WP_1)$ in the Definition 5.1, we obtain: 

$$\{wp(S,\phi)\}S\{\phi\}$$ 

and by the Theorem 3.5, we conclude that the following formula is valid: 
$$wp(S, \phi) \Leftrightarrow \phi.$$ 

□ 

Theorem 5.2 (Dijkstra's Law of Monotonicity) The following S-formula is valid: 
$$(Q \Rightarrow R) \Rightarrow (wp(S,Q) \Rightarrow wp(S,R)).$$ 

Proof. 

According to $(WP_1)$ in the Definition 5.1, we obtain: 
$$\{wp(S,Q)\}S\{Q\}$$ 

and by the Theorem 3.1.b.) we conclude that the following formula is valid: 
$$\{wp(S,Q)\}S\{Q\} \wedge \forall x(Q(x) \Rightarrow R(x)) \Rightarrow \{wp(S,Q)\}S\{R\}.$$ 

According to $(WP_2)$ in the Definition 5.1, we obtain: 
$$wp(S,Q) \Rightarrow wp(S,R).$$ 

□ 



Theorem 5.3 (Dijkstra's Law of Conjunction) The following S-formula is valid: 
$$wp(S,Q) \wedge wp(S,R) \Leftrightarrow wp(S, Q \wedge R).$$ 

Proof. 

First, let us prove the left-right implication: 
$$wp(S,Q) \wedge wp(S,R) \Rightarrow wp(S, Q \wedge R).$$ 

According to $(WP_1)$ in the Definition 5.1, we obtain the following S-formulas: 

$$\{wp(S,Q)\}S\{Q\},$$ 

$$\{wp(S,R)\}S\{R\}.$$ 

By the Theorem 3.2.b.), we obtain: 

$$\{wp(S,Q)\}S\{Q\} \wedge \{wp(S,R)\}S\{R\} \Rightarrow \{wp(S,Q) \wedge wp(S,R)\}S\{Q \wedge R\}$$ 

and according to $(WP_2)$ in the Definition 5.1, we obtain: 

$$wp(S,Q) \wedge wp(S,R) \Rightarrow wp(S, Q \wedge R)$$ 

and conclude that the left-right implication is valid. 

Further, let us prove the right-left implication: 

$$wp(S, Q \wedge R) \Rightarrow wp(S,Q) \wedge wp(S,R).$$ 

According to $(WP_1)$ in the Definition 5.1, we obtain the following S-formula: 

$$\{wp(S, Q \wedge R)\}S\{Q \wedge R\}.$$ 

By the Theorem 3.1.b.), we obtain: 

$$\{wp(S, Q \wedge R)\}S\{Q\} \wedge \{wp(S, Q \wedge R)\}S\{R\}$$ 

and according to $(WP_2)$ in the Definition 5.1, we obtain: 

$$(wp(S, Q \wedge R) \Rightarrow wp(S,Q)) \wedge (wp(S, Q \wedge R) \Rightarrow wp(S,R)).$$ 

After that, by the Theorem (Tig), we obtain: 

$$wp(S, Q \wedge R) \Rightarrow wp(S,Q) \wedge wp(S,R)$$ 

and conclude that the right-left implication is valid. 

Since both implications are valid, we conclude that the starting equivalence is valid. 

□ 



Theorem 5.4 (Dijkstra's Law of Disjunction) The following S-formula is valid: 
$$wp(S,Q) \vee wp(S,R) \Rightarrow wp(S, Q \vee R).$$ 

Proof. 

By the Theorem 3.2.a.), we obtain: 

$$\{wp(S,Q)\}S\{Q\} \wedge \{wp(S,R)\}S\{R\} \Rightarrow \{wp(S,Q) \vee wp(S,R)\}S\{Q \vee R\}$$ 
and according to $(WP_2)$ in the Definition 5.1, we obtain: 
$$wp(S,Q) \vee wp(S,R) \Rightarrow wp(S, Q \vee R).$$ 

□ 
Theorem 5.5 (Law of Negation) The following S-formula is valid: 
$$\neg(wp(S,Q) \wedge wp(S, \neg Q)).$$ 

Proof. 

According to $(WP_1)$ in the Definition 5.1, if we substitute $P$ with $wp(S,Q)$ and $R$ with 
$wp(S,\neg Q)$ in the Theorem 3.6.a.), we obtain: 
$$\neg(wp(S,Q) \wedge wp(S, \neg Q)).$$ 

□ 

Theorem 5.6 (Dijkstra's Theorem on Total Correctness) The following S-formula is valid: 
$$\{P\}S\{Q\} \Leftrightarrow (P \Rightarrow wp(S,Q)).$$ 

Proof. 

First, let us prove the left-right implication: 
$$\{P\}S\{Q\} \Rightarrow (P \Rightarrow wp(S,Q)).$$ 

According to $(WP_2)$ in the Definition 5.1, we conclude that the left-right implication is valid. 
Further, let us prove the right-left implication: 
$$(P \Rightarrow wp(S,Q)) \Rightarrow \{P\}S\{Q\}.$$ 

According to $(WP_1)$ in the Definition 5.1, we obtain the following S-formula: 
$$\{wp(S,Q)\}S\{Q\}.$$ 

If we substitute $R$ with $wp(S,Q)$ in the Theorem 3.1.a.), we obtain: 
$$\forall x(P(x) \Rightarrow wp(S,Q)(x)) \wedge \{wp(S,Q)\}S\{Q\} \Rightarrow \{P\}S\{Q\}$$ 
and conclude that the right-left implication is valid. 

Since both implications are valid, we conclude that the starting equivalence is valid. 

□ 

The proofs of Theorems 5.1, 5.5 and 5.6 in Coq are given in Appendix A. 
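An exhaustive check of Theorems 5.1 to 5.5 on a two-state model, as an added example that is not part of the paper: wp(S, Q) is computed from the characterization given by Theorem 5.6, and the encoding of S-relations and S-predicates as finite sets is our own assumption. The last entry goes beyond the page and shows why Theorem 5.4 is stated as an implication only: an S-relation with two successors from one state satisfies wp(S, Q ∨ R) there without satisfying wp(S, Q) ∨ wp(S, R).

```python
# Added example (not from the paper): an exhaustive check of Theorems 5.1-5.5 on a tiny
# abstract state space. States are the integers 0..n-1, an S-relation is a frozenset of
# (x, y) pairs, an S-predicate a frozenset of states, and wp(S, Q) is computed directly from
# the S-formula of Theorem 5.6: wp(S,Q)(x) <=> Ey S(x,y) /\ Az(S(x,z) => Q(z)).
# The set encoding and the size n = 2 are our own choices.
from itertools import combinations, product

def predicates(n):
    return [frozenset(p) for k in range(n + 1) for p in combinations(range(n), k)]

def relations(n):  # every S-relation over n states, nondeterministic and partial ones included
    pairs = list(product(range(n), repeat=2))
    return [frozenset(r) for k in range(len(pairs) + 1) for r in combinations(pairs, k)]

def wp(S, Q, n):
    return frozenset(x for x in range(n)
                     if any((x, y) in S for y in range(n))              # Ey S(x,y)
                     and all(z in Q for z in range(n) if (x, z) in S))  # Az(S(x,z) => Q(z))

def check_laws(n=2):
    """Map each law to whether it holds for every S, Q and R over n states."""
    PHI, ALL = frozenset(), frozenset(range(n))
    laws = {
        "5.1 excluded miracle": lambda S, Q, R: wp(S, PHI, n) == PHI,
        "5.2 monotonicity": lambda S, Q, R: not Q <= R or wp(S, Q, n) <= wp(S, R, n),
        "5.3 conjunction": lambda S, Q, R: wp(S, Q, n) & wp(S, R, n) == wp(S, Q & R, n),
        "5.4 disjunction": lambda S, Q, R: wp(S, Q, n) | wp(S, R, n) <= wp(S, Q | R, n),
        "5.5 negation": lambda S, Q, R: not (wp(S, Q, n) & wp(S, ALL - Q, n)),
        "converse of 5.4": lambda S, Q, R: wp(S, Q | R, n) <= wp(S, Q, n) | wp(S, R, n),
    }
    preds = predicates(n)
    return {name: all(law(S, Q, R) for S in relations(n) for Q in preds for R in preds)
            for name, law in laws.items()}

def disjunction_converse_witness(n=2):
    """First S, Q, R with a state in wp(S, Q or R) that is in neither wp(S, Q) nor wp(S, R)."""
    preds = predicates(n)
    for S in relations(n):
        for Q in preds:
            for R in preds:
                extra = wp(S, Q | R, n) - (wp(S, Q, n) | wp(S, R, n))
                if extra:
                    return S, Q, R, extra
    return None
```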

6 Conclusions 

In this paper, we have developed the S-calculus, which represents a powerful mathematical tool 
for program semantics analysis. The S-calculus is based on axioms and theorems of first-order 
predicate logic and uses S-formulas, which are defined on the abstract state space of a virtual 
machine. Proving program correctness and/or establishing new theorems amounts to proving the 
validity of the appropriate S-formula, and for that, we need only first-order predicate logic. 
Since the problem of indeterminism does not exist, the S-calculus can consider total/partial correctness 
without the need for additional concepts and formulas. Owing to its generality, the S-calculus can 
cope with the semantics of variable declaration, where some other theories fail (the ones that are 
based on an interpreted set of states). 

The mathematical mechanism developed in this paper, apart from being general, brings together 
Hoare's ideas and first-order predicate logic. It also enables automatic proofs of program correctness 
and/or new theorems. In this paper, we have provided strictly formal proofs for the general laws 
of Hoare logic and Dijkstra's theorems on the weakest precondition. Moreover, we have proven an 
additional law related to the weakest precondition, namely the law of negation. As an example, 
some of the theorems are proven using the Coq automatic prover. 

Our future research in the area of the S-calculus will be aimed towards investigating more complex 
properties and relationships that exist between preconditions, postconditions and syntax units, 
especially in the object-oriented environment. The second line of work will be the development of 
algorithms for automated program correctness proofs, thus providing a practical aspect to the 
S-calculus. 
A Appendix 

Theorem 3.1.a.): 

Variable A: Set. 
Variables P Q R: A->Prop. 
Variable S: A->A->Prop. 
Theorem t31a : 
  ((forall x:A, (P x -> R x)) /\ 
   (forall x:A, (R x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z)))))) -> 
  (forall x, (P x -> ((exists y, S x y) /\ (forall z, (S x z -> Q z))))). 
firstorder. 
Qed. 



Theorem 3.1.b.): 

Variable A: Set. 
Variables P Q R: A->Prop. 
Variable S: A->A->Prop. 
Theorem t31b : 
  ((forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z))))) /\ 
   (forall z:A, (Q z -> R z))) -> 
  (forall x, (P x -> ((exists y, S x y) /\ (forall z, (S x z -> R z))))). 
firstorder. 
Qed. 



Theorem 3.1.c.): 

Variable A: Set. 
Variables P Q U V: A->Prop. 
Variable S: A->A->Prop. 
Theorem t31c : 
  ((forall x:A, (U x -> P x)) /\ 
   (forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z))))) /\ 
   (forall z:A, (Q z -> V z))) -> 
  (forall x, (U x -> ((exists y, S x y) /\ (forall z, (S x z -> V z))))). 
firstorder. 
Qed. 



Theorem 3.2.a.): 

Variable A: Set. 
Variables P R Q W: A->Prop. 
Variable S: A->A->Prop. 
Theorem t32a : 
  ((forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z))))) /\ 
   (forall x:A, (R x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> W z)))))) -> 
  (forall x:A, ((P x \/ R x) -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> (Q z \/ W z)))))). 
firstorder. 
Qed. 
Theorem 3.2.b.): 

Variable A: Set. 
Variables P Q R W: A->Prop. 
Variable S: A->A->Prop. 
Theorem t32b : 
  ((forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z))))) /\ 
   (forall x:A, (R x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> W z)))))) -> 
  (forall x:A, ((P x /\ R x) -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> (Q z /\ W z)))))). 
firstorder. 
Qed. 



Theorem 3.3: 

Variable A: Set. 
Variables P Q R W: A->Prop. 
Variable S: A->A->Prop. 
Theorem t33 : 
  ((forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z))))) \/ 
   (forall x:A, (R x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> W z)))))) -> 
  (forall x:A, ((P x /\ R x) -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> (Q z \/ W z)))))). 
firstorder. 
Qed. 



Theorem 3.5: 

Variable A: Set. 
Variables P : A->Prop. 
Variable S: A->A->Prop. 
Definition phi (x:A) := False. 
Theorem t35 : 
  (forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> phi z)))) <-> 
               (P x <-> phi x)). 
firstorder. 
Qed. 



Theorem 3.6.a): 

Variable A: Set. 
Variables P Q R: A->Prop. 
Variable S: A->A->Prop. 
Theorem t36a : 
  ((forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z))))) /\ 
   (forall x:A, (R x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> (~Q z))))))) -> 
  (forall x:A, (~(P x /\ R x))). 
firstorder. 
Qed. 
Theorem 3.6.b): 

Variable A: Set. 
Variables P Q: A->Prop. 
Variable S: A->A->Prop. 
Theorem t36b : 
  ((forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z))))) /\ 
   (forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> (~Q z))))))) <-> 
  (forall x:A, (~(P x))). 
firstorder. 
Qed. 



Theorem 5.1: 

Variable A: Set. 
Variables P wpSphi : A->Prop. 
Variable S: A->A->Prop. 
Definition phi (x:A) := False. 
Axiom wpSphi1 : 
  forall x:A, (wpSphi x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> phi z)))). 
Axiom wpSphi2 : 
  forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> phi z)))) -> 
              (P x -> wpSphi x). 

Theorem t51 : forall x:A, (wpSphi x <-> phi x). 
firstorder using wpSphi1 wpSphi2. 
Qed. 



Theorem 5.5: 

Variable A: Set. 
Variables P Q R wpSQ wpSNQ : A->Prop. 
Variable S: A->A->Prop. 
Axiom wpSQ1 : 
  forall x:A, (wpSQ x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z)))). 
Axiom wpSQ2 : 
  forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z)))) -> 
              (P x -> wpSQ x). 
Axiom wpSNQ1 : 
  forall x:A, (wpSNQ x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> (~(Q z)))))). 
Axiom wpSNQ2 : 
  forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> (~(Q z)))))) -> 
              (P x -> wpSNQ x). 

Theorem t55 : forall x:A, (~((wpSQ x) /\ (wpSNQ x))). 
firstorder using wpSQ1 wpSQ2 wpSNQ1 wpSNQ2. 
Qed. 
Theorem 5.6: 

Variable A: Set. 
Variables P Q wpSQ: A->Prop. 
Variable S: A->A->Prop. 
Axiom wpSQ1 : 
  forall x:A, (wpSQ x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z)))). 
Axiom wpSQ2 : 
  forall x:A, (P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z)))) -> 
              (P x -> wpSQ x). 
Theorem t56 : 
  forall x:A, ((P x -> ((exists y:A, S x y) /\ (forall z:A, (S x z -> Q z)))) <-> 
               ((P x) -> (wpSQ x))). 
firstorder using wpSQ1 wpSQ2. 
Qed. 



